Introduction

This document describes the steps that are taken when the VMware View client on the Cisco Virtualization Experience Client 6215 (VXC-6215) fails to connect to the VMware View Connection Server (VCS) because of defect CSCuy03183 .

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

Administration of VXC clients using VXC Manager (VXCM)

Configuration of VXC clients using INI configuration files

(optional) Basic usage of the open-source OpenSSL software

Components Used

The information in this document is based on these software and hardware versions:

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

Platform bundle 10.6 for the VXC-6215 contains version 3.1 of the VMware View client for Linux. This client version was built with the OpenSSL 1.0.1h libraries. However, the base operating system of the VXC-6215 uses OpenSSL version 0.9.8j, causes the View client to be unable to locate the trusted CA certificates installed by VXCM.

Problem

Vmware View Client on VXC6215 Cannot Validate Server Certificate

When VMware View client to connect to a View Connection Server is used, the client shows a pop-up window with the message "Failed to connect to the Connection Server. The server provided an invalid certificate: The certificate authority is invalid or incorrect." and refuses to connect, as shown in this image.

Solution

Ask your Certificate Authority (CA) to provide you with the CA certificate (as well as any intermediate CA certificate(s), if applicable) in PEM format, or convert the CA certificate(s) from Distinguished Encoding Rules (DER) to PEM format yourself.

For example, This can be done with the usage of a command (assuming your DER-encoded certificate's filename is cacert.crt) on a system with OpenSSL installed:

openssl x509 -inform DER -in cacert.crt -out cacert.pem

Repeat, if necessary for the Root CA and all Intermediate CAs in the certificate chain.

Step 2. Place the PEM-formatted certificates on the repository server.

Copy the PEM files to the directory that currently holds your certificates, in a default setup this is C:\inetpub\ftproot\Rapport\<yourpackagename>\wlx\certs on the VXCM server.

Step 3. Configure VXCM to send the PEM-formatted certicicates to the client.

In the wlx.ini file of your platform package (typically located at C:\inetpub\ftproot\Rapport\<yourpackagename>\wlx\wlx.ini), replace the filenames of the certificates in the Certs options to the filenames of the PEM files, for example, replace the line:

Certs=cacert.crt,intermediateCA1.crt,intermediateCA2.crt

with:

Certs=cacert.pem,intermediateCA1.pem,intermediateCA2.pem

Step 4. Reboot the client.

When the VXC-6215 is rebooted, it causes to download the updated wlx.ini file from VXCM which in turn causes the client to download the PEM-encoded certificate(s).